NEWS AND NOTES RELEVANT TO CYBER/DATA SECURITY AND COMPLIANCE

Avakian also discussed the Commission’s 2016 enforcement interests in issues related to cybersecurity. She noted that the Commission’s focus falls in three areas: (1) cases where there has been a failure to safeguard customers’ information (citing the Commission’s administrative proceeding against R.T. Jones Capital Equities Management, Admin. Proc. No. 3-16827, in which R.T. Jones agreed to a cease and desist order as well as censure and a $75,000 penalty arising from the Commission’s charges that the firm violated Regulation S-P by “entirely” failing to have policies in place in advance of a data breach where sensitive client information that was stored on a third party web server was hacked); (2) cases where material confidential information has been stolen for the purpose of illegal trading or market manipulation (citing a “wide scale hacking case” brought by the Commission in August 2015 against over thirty defendants whose hacking scheme generated over $100 million in illegal profits based on the use of stolen material, non-public information); and (3) cyber disclosure failures. Avakian noted that, while the Commission has brought cases in the first two categories, it has yet to bring a case charging cyber disclosure failures. She also emphasized the Commission’s view that a firm that has been the victim of a cyber-attack is just that—“a victim”—and encouraged companies to self-report rather than stay silent for fear of being investigated by the SEC or other governmental agencies. Avakian explained that the Commission understands and appreciates that “it may be difficult to assess the impact and extent of [an] intrusion,” and that “decisions about whether, when and what to disclose can be very difficult.” She further noted that “whether a company self-reported to law enforcement is a significant factor” and explained that the SEC “will give substantial credit for having reported.” Askari Foy, Associate Director of the Technology Controls Program in the Office of Compliance Inspections and Examinations, echoed these comments, noting that the Division’s main priority in 2016 will be to ensure that firms have written cyber security policies and procedures in place. He emphasized, however, that the Commission is not a “gotcha regulator” in this space and that its focus is on whether firms show a demonstrated commitment to developing an effective information security program, including by addressing data governance issues “at the highest level,” not just leaving such matters solely to the IT department. MORE